diff --git a/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java b/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java
index 5917aa4..36c9451 100644
--- a/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java
+++ b/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java
@@ -186,8 +186,14 @@ public Aead getAead(String uri) throws GeneralSecurityException {
    *
    * <p>If {@code credentialPath} is present, load the credentials from that. Otherwise use the
    * default credentials.
+   *
+   * @deprecated It is preferable to not register KMS clients. Instead, create the GcpKmsClient
+   *     yourself and call {@link getAead} to get a remote {@code Aead}. Use this {@code Aead} to
+   *     encrypt a keyset with {@code TinkProtoKeysetFormat.serializeEncryptedKeyset}, or to create
+   *     an envelope {@code Aead} using {@code KmsEnvelopeAead.create}.
    */
-  public static void register(Optional<String> keyUri, Optional<String> credentialPath)
+  @Deprecated
+  /* OSS: public */ static void register(Optional<String> keyUri, Optional<String> credentialPath)
       throws GeneralSecurityException {
     GcpKmsClient client;
     if (keyUri.isPresent()) {